This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark doesn’t read same IPv6 fragment offset value from pcap as microsoft network monitor

0

I found an interesting issue from below pcap log: https://www.dropbox.com/s/g7fgpmhcepy2yw5/04_05_FragmentHeader.cap?dl=0

For 2nd packet, wireshark reads fragment offset value in fragment reader as '181' while Microsoft Network Monitor interpret it as '1448'. It looks like a bug to me.

Wondering anyone else is seeing the same ?

PS: I am using Version 1.12.1 (v1.12.1-0-g01b65bf from master-1.12)

asked 04 Feb '15, 18:07

Gallon's gravatar image

Gallon
16557
accept rate: 0%

One Answer:

2

Per RFC 2460:

Fragment Offset: 13-bit unsigned integer.  The offset, in 8-octet
                 units, of the data following this header,
                 relative to the start of the Fragmentable Part
                 of the original packet.

What Wireshark is displaying is the raw value in 8 bytes unit, not the number of bytes. 181*8 = 1448.

answered 05 Feb '15, 01:47

Pascal%20Quantin's gravatar image

Pascal Quantin
5.5k1060
accept rate: 30%